Skip to main content

Livemesh WPBakery Addons EUVDEUVD-2026-41310

| CVE-2026-57754 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-02 Patchstack GHSA-vq29-gpgr-jh2f
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Contributor account required (PR:L), victim interaction needed (UI:R), scope changes to victim browser (S:C); no availability impact from XSS alone.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 12:30 vuln.today

DescriptionCVE.org

Contributor Cross Site Scripting (XSS) in Livemesh Addons for WPBakery Page Builder <= 3.9.4 versions.

AnalysisAI

Stored Cross-Site Scripting in Livemesh Addons for WPBakery Page Builder versions 3.9.4 and earlier allows authenticated Contributors to inject persistent malicious scripts into WordPress pages. When a higher-privileged user such as an Editor or Administrator views the affected content, the injected script executes in their browser session - enabling session hijacking, credential theft, or privilege escalation within the WordPress admin panel. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or compromise Contributor account
Delivery
Craft post with XSS payload in Livemesh widget field
Exploit
Submit draft for editorial review
Execution
Privileged user previews content
Persist
Injected script executes in admin browser
Impact
Steal session cookie or create rogue admin account

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to hold a valid Contributor-level (or higher) account on the target WordPress site - unauthenticated exploitation is not possible given PR:L in the CVSS vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The provided CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) scores 6.5, reflecting a moderate-severity finding. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or obtains a Contributor account on a target WordPress site and creates a new post or page using the WPBakery Page Builder, embedding a malicious JavaScript payload within a Livemesh addon widget field. When an Editor or Administrator later opens that draft for review or preview, the stored script executes in their authenticated browser session - allowing the attacker to exfiltrate the admin's session cookie, create a new admin account via authenticated AJAX, or install a malicious plugin. …
Remediation Patch available per vendor advisory - update Livemesh Addons for WPBakery Page Builder to a version beyond 3.9.4 as detailed in the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/addons-for-visual-composer/vulnerability/wordpress-livemesh-addons-for-wpbakery-page-builder-plugin-3-9-4-cross-site-scripting-xss-vulnerability-2. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-41310 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy